A brilliant WordPress security article by Wordfence reinforces something I have said for a long time: every digital services provider should offer (or at least advise on) ongoing maintenance contracts. Mash certainly offers it. Why?
Because this era, when it’s so easy for DIYers to get online using a few popular digital tools, means there are more websites than ever built with the same sorts of vulnerabilities. This means big opportunities for small-time hackers.
There’s now something like 74 million sites out there built on WordPress. A good chunk of them are business sites. Your business site is probably built on WordPress. Even if you are a tiny operation, to think you are too small for a hacker to bother with is misguided.
Hackers like small, because your average hacker doesn’t want to be noticed. Hiding in the backend of a small-time site for a legitimate and unwitting business is a perfect place. These hackers are interested in your site not for what it’s doing, but for what they can make it do. While you just see your website, the Wordfence article points out that a hacker sees a server they can use for their own purposes.
Forget what you think a hacker is
First, when you think of hackers, forget Julian Assange and his political ideals, forget The Matrix and its vision of reality control, forget, indeed, the movie Hackers itself, which is just edgy teens doing industrial espionage. Most hackers are desk-bound hustlers. Petty criminals who use their limited technical skills to parasite off vulnerable websites for a quick buck. They’re fleas, not tigers.
But these hackers don’t have to be technical geniuses anyway. They’re interested in easy money, not being masters of the digital universe. If they were really skilled, there is much more cash to be had doing legitimate things. An estimated 1,000 Google staff became millionaires in 2004 when the then-small company went public (among them was the in-house massage therapist). No, the true genius of your average hacker is finding ways to make a few quick dollars.
An example, as mentioned on Wordfence: it takes a lot of computing power to mine cryptocurrency, and that much power is not cheap to get. In response, some hackers have started using the spare computing capacity of unwitting websites to crunch the necessary numbers. Not quite supervillain stuff, but definitely annoying to the owners of those websites.
What do hackers want with SME websites?
Chiefly, what hackers want with your site is to hijack your email database and email sending capabilities. Ever wondered where all those spam emails you get come from? Mostly, it’s from legitimate business websites that have been hacked.
The high-profile cases where a hacker compromises a system and steals millions of customer records or holds a business’s data to ransom are pretty uncommon and pretty difficult to pull off. Hijacking a site for a phishing or spam scam is actually fairly simple and often done by ‘script kiddies’.
They’re not usually kids (though some are); the term instead means they don’t know much about hands-on hacking. What they do is scan websites for vulnerabilities using a suite of small automatic programs called scripts. They probably come snooping around your site every day.
They love WordPress sites because there are commonalities in the backend, so the script kiddies already know what the vulnerabilities are and where to find them.
A classic case of site hacking
One instance I have seen recently is completely typical of this. A friend of mine is a developer too. A small business client of his got hacked and I was asked to have a look. I found out the customer’s site had a very outdated version of Revolution Slider – a common WordPress plugin.
A hacker somewhere had figured out that in that version of Revolution Slider you could upload a file to a certain directory using a certain filename. Doing that would give you access to the folder, and folder access would then start a domino effect of more and more access until the hacker could act with full admin privileges for the whole site.
With that level of access, a hacker can upload their own site pages which are masked as real pages. The victim site still functions just like it was designed to, but it’s also now doing a lot of other things as well – and the legitimate admin probably won’t even notice.
The first they may hear of the hack is being blacklisted by their ISP as the unwitting source of a stream of email spam. The hacker in this case is probably using one site to send all those spam emails and another to host the landing pages those emails link to. You know all those “Hot Singles Near You” pages? They’re all hosted by innocent small business sites like, say, bobsmechanic.com.au.
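A defender’s check for the situation described above, added here as an example and not code from the original article, from Wordfence or from the plugin: it lists PHP files sitting under the WordPress uploads directory (which should hold only media), lists recently changed PHP files anywhere in the install, and writes an Apache 2.4 .htaccess that refuses to serve PHP from uploads. The WordPress root path is an assumed argument, and the .htaccess approach assumes Apache with AllowOverride enabled for that directory.

```shell
#!/bin/sh
# Added example, not code from the original article. Triage and hardening
# helpers for a WordPress install; the install root is passed as $1.

# List PHP-like files under wp-content/uploads. That directory should hold
# only media, so any hit deserves a look.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Number of such files; 0 means nothing unexpected was found.
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# PHP files anywhere in the install modified within the last $2 days:
# a second signal when a site has changed without a deploy or update.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Hardening: an Apache 2.4 .htaccess that refuses to execute PHP from uploads
# (assumes AllowOverride permits FilesMatch directives there).
write_uploads_htaccess() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}
```

Run the two find helpers from cron and alert on a non-zero count; a PHP file appearing under uploads is the kind of change the site owner in the story never saw.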
Prevention is better than the cure
If the process of getting un-blacklisted by your ISP is horrible (and it is), it’s even harder to get rid of a hacker who has compromised your website. If they choose to, once they have admin-level access they can infect every single website file. Anything short of replacing your entire site leaves the door ajar for them. If their access remains in even a single place, you can be hacked all over again more or less straight away.
This is definitely one of those cases when prevention is the best cure – and prevention is a relentless task. This is the ongoing maintenance contract we talked about at the start. You need it. Think of it like your car. Even if there’s nothing in it worth stealing, you still lock it. The script kiddies are those dodgy types you occasionally see roaming car parks trying every door handle in case one isn’t secure.
At Mash, we install Wordfence on every single one of our client sites to monitor anything that is even a little bit suspicious and be able to take action. If we detect something, we’re quick. We change passwords, revert to previous back-up versions of your site and change accounts. And your site slips out of the hacker’s net, and your digital reputation is safe for another day.
Basic WordPress security advice:
Never use ‘admin’ as your username. As the default, it is the most common username of all. Using it makes being hacked that much easier.
Never use a simple password. The good news is that length is more important than complexity. So, a password like “I like my pet dog ralf because he is a good boy” is far stronger than something like k$%7#P.